Mephistoles HTTPD Cross-Site Scripting Vulnerability
BID:9470
Info
Mephistoles HTTPD Cross-Site Scripting Vulnerability
| Bugtraq ID: | 9470 |
| Class: | Input Validation Error |
| CVE: |
CVE-2004-2096 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 21 2004 12:00AM |
| Updated: | Oct 29 2007 04:26PM |
| Credit: | Discovery of this vulnerability has been credited to "Donato Ferrante" <[email protected]>. |
| Vulnerable: |
Mephistoles Internet Suite HTTPD 0.6 p2 Mephistoles Internet Suite HTTPD 0.6 p1 Mephistoles Internet Suite HTTPD 0.6 final |
| Not Vulnerable: |
Mephistoles Internet Suite HTTPD 0.6 final Mephistoles Internet Suite HTTPD 0.6.1pre1 |
Discussion
Mephistoles HTTPD Cross-Site Scripting Vulnerability
Mephistoles 'httpd' daemon fails to sanitize user-supplied input, making it vulnerable to cross-site scripting attacks. This vulnerability allows an attacker to construct a malicious link containing HTML or script code that may be rendered in a user's browser upon visiting that link. This attack would occur in the security context of the affected server.
Mephistoles 'httpd' daemon fails to sanitize user-supplied input, making it vulnerable to cross-site scripting attacks. This vulnerability allows an attacker to construct a malicious link containing HTML or script code that may be rendered in a user's browser upon visiting that link. This attack would occur in the security context of the affected server.
Exploit / POC
Mephistoles HTTPD Cross-Site Scripting Vulnerability
The following proof of concept has been supplied:
http://www.example.com/<script>alert("Test")</script>
The following proof of concept has been supplied:
http://www.example.com/<script>alert("Test")</script>
Solution / Fix
Mephistoles HTTPD Cross-Site Scripting Vulnerability
Solution:
The vendor has released updates that address this issue. Please see the references for more information.
Mephistoles Internet Suite HTTPD 0.6 p2
Mephistoles Internet Suite HTTPD 0.6 p1
Solution:
The vendor has released updates that address this issue. Please see the references for more information.
Mephistoles Internet Suite HTTPD 0.6 p2
-
Mephistoles Internet Suite Mephistoles 0.6.2.pre1
http://downloads.sourceforge.net/mephistoles/mephistoles-httpd-0.6.2pr e1-noarch.pl?modtime=1083628800&big_mirror=0
Mephistoles Internet Suite HTTPD 0.6 p1
-
Mephistoles Internet Suite Mephistoles 0.6.2.pre1
http://downloads.sourceforge.net/mephistoles/mephistoles-httpd-0.6.2pr e1-noarch.pl?modtime=1083628800&big_mirror=0
References
Mephistoles HTTPD Cross-Site Scripting Vulnerability
References:
References:
- Mephistoles Internet Suite Homepage (Mephistoles Internet Suite)
- Mephistoles Httpd 0.6.0final XSS ("Donato Ferrante"
)